10 identity management metrics that matter

Frank Villavicencio |
Sept. 30, 2011

Within the IT security community, identity- and access-management (IAM) initiatives are considered high value, but are notoriously problematic to deploy.

Within the IT security community, identity- and access-management (IAM) initiatives are considered high value, but are notoriously problematic to deploy. Yet despite IAM's complexity, it represents 30 percent or more of the total information security budget of most large institutions, according to IDC (a sister company to CSO's publisher).

Ironically, the deployment difficulties stem from having to reconcile the very people and process breakdowns IAM automation is meant to solve, such as too many or too few people involved in authorizing requests, a lack of documentation for access requests and approvals, connecting to target systems with "dirty" or obsolete data, and so on. This conundrum has led to the rise of what is called identity governance.

Identity governance involves defining and executing the identity-related business processes that are most critical to the organization. For example, an engineer needs root access to the server hosting an ERP system--who needs to approve that request? Who is the one who actually takes the action that grants that access? How does that process get documented? Where is it stored, and for how long? How can we report on it during an audit?

Getting your organization's governance processes locked in is a tall order, but well worth it. One of the many benefits of proper identity governance is that it pinpoints which identity-related processes are most in need of attention. Here are 10 of the most common measurements for gauging the effectiveness of identity governance.

1. Password reset volume per month. This one is a classic in identity management, and it's key to helping organizations measure the effectiveness of their IAM programs. Businesses typically look at password-related help desk calls, account lockouts, and self-service resets per month as good indicators of password-policy effectiveness. This metric should generally trend downward, alhough there may be peaks and valleys driven by business events. If it doesn't, your organization's password policies and management tools require a closer look.

2. Average number of distinct credentials per user. Another IAM classic, and for years, a key business justification for single sign-on (SSO) initiatives. The industry average ranges from 10 to 12 unique accounts per user. Organizations should strive to bring this average down as close to one as possible.

3. Number of uncorrelated accounts. These are accounts that have no owner, and occur most frequently when a change happens, such as a promotion or a termination, and that person's accounts were not transitioned properly. Too many uncorrelated accounts can lead to unnecessary risks--they are open, live accounts that can be easily hijacked for un-authorized use.

4. Number of new accounts provisioned. This number should closely follow the number of new joiners to the organization. An effective IAM program should always account for any new user who needs to be granted access to systems and applications. If there's a discrepancy or a significant lag between the number of provisioned accounts and the total number of new joiners for a given period, that indicates inefficient processes or poor identity data.